SMTP Authentication Guide for Email Security 2024

Published on: 28 Dec 2023

SMTP authentication significantly improves the security of an SMTP server. Once it is configured and enforced, only clients that can prove their identity are allowed to hand mail to the server for delivery to other domains.

What is SMTP authentication?

SMTP authentication, often abbreviated as SMTP-Auth or ASMTP (authenticated SMTP), is an extension of Extended SMTP (ESMTP), which itself extends the original SMTP protocol. It lets an SMTP client prove its identity to an SMTP server before the server accepts mail from it. The extension is defined in RFC 4954 and reuses the SASL framework (RFC 4422) for the actual authentication mechanisms, which is why the same mechanism names you see for IMAP also appear in SMTP.

In practice this means that only trusted users can send mail through the server to the outside world. Because every submission is tied to an account, the server's logs also show who relayed which message, which is invaluable when a mailbox is compromised and starts sending spam.

Why does SMTP-Auth exist?

The purpose of SMTP-Auth is to stop an SMTP server from being abused as an "open mail relay", that is, a server that accepts mail from anyone, addressed to anyone, and forwards it. The situation today is far less dire than it used to be, but we still regularly come across servers that relay without any SMTP authentication in place.

Sometimes this is the result of carelessness: an inexperienced administrator temporarily opens the server for testing and forgets to close it again. More often the cause is a misconfigured firewall or a security appliance in front of the server that forwards traffic the relay rules never anticipated.

Open relays are usually discovered within days, sometimes within hours, and are then listed on DNS blocklists. The consequences of omitting SMTP authentication should therefore not be underestimated.

As a result, the server's owner sees a sharp rise in traffic, because open relays are in high demand among spammers. Legitimate mail from the server starts bouncing once it is blocklisted, the owner's reputation suffers, and cleaning up costs time, effort and money. This is precisely why almost every mail server today combines ESMTP with SMTP authentication.

How does ASMTP work?

ASMTP is normally offered on the message submission port, TCP 587 (RFC 6409), which is reserved for authenticated clients handing mail to their provider's server, while TCP 25 remains the port on which servers exchange mail with one another. Many providers also offer submission on TCP 465, where TLS is negotiated before the first SMTP command (implicit TLS, RFC 8314). On the submission port the server should accept mail only after a successful AUTH, and it should advertise AUTH only after STARTTLS (or on the implicit-TLS port), so that credentials never cross the network in the clear. The AUTH extension itself (RFC 4954) carries a selection of SASL mechanisms with different security levels; the server lists the ones it supports in its EHLO response, and the client picks one to prove its identity.

These include, but are not limited to, the following:

  1. PLAIN: Authentication with the client's username and password, sent together in a single Base64-encoded string (RFC 4616). Base64 is an encoding, not encryption, so anyone who can read the connection can recover the credentials; a server should therefore offer PLAIN only after STARTTLS or on an implicit-TLS port.
  2. LOGIN: Works like PLAIN, but the Base64-encoded username and password are sent in two separate steps rather than one. It is not standardised and offers no more protection than PLAIN, but it is very widely supported.
  3. CRAM-MD5: a challenge-response alternative to PLAIN and LOGIN (RFC 2195). The password itself is never transmitted, in clear text or encoded: the server sends a one-time challenge and the client returns an HMAC-MD5 of that challenge keyed with the password, which the server recomputes from its copy of the password and compares. This shields the password from a passive eavesdropper but not from a man-in-the-middle, it forces the server to store every password in plaintext-equivalent form, and MD5 itself is obsolete, so today PLAIN or LOGIN over TLS, or SCRAM, is preferred.
  4. Other mechanisms are also defined: GSSAPI (Kerberos), DIGEST-MD5 (now obsolete, RFC 6331), OAUTH10A, OAUTHBEARER and XOAUTH2 (OAuth 2.0 tokens, as used by Gmail and Microsoft 365), SCRAM-SHA-1 and SCRAM-SHA-256, and NTLM.
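
The following is an added example, not code from the original article, showing what the PLAIN, LOGIN and CRAM-MD5 responses from the list above actually look like on the wire. It uses constructed credentials and a constructed host name; the PLAIN layout follows RFC 4616 and the CRAM-MD5 computation follows RFC 2195. Decoding the PLAIN blob illustrates why Base64 is no protection, and the CRAM-MD5 verifier shows the cost the server pays for that mechanism: it must keep a plaintext-equivalent password for every user.

```python
"""Wire format of SMTP AUTH PLAIN, LOGIN and CRAM-MD5 responses.

Added example, not from the original article. The username, password and
host name used below are constructed; the mechanics follow RFC 4616 (PLAIN)
and RFC 2195 (CRAM-MD5).
"""
import base64
import hmac
import secrets
import time


def plain_response(user, password, authzid=""):
    """AUTH PLAIN: one line, base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_plain(blob):
    """What a passive eavesdropper recovers from a PLAIN exchange without TLS."""
    _authzid, user, password = base64.b64decode(blob).decode().split("\0")
    return user, password


def login_responses(user, password):
    """AUTH LOGIN: the same secrets, base64-encoded separately and sent in two steps."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def cram_md5_challenge(hostname):
    """Server side of CRAM-MD5: a fresh, unpredictable '<random.timestamp@host>' challenge."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def cram_md5_response(user, password, challenge):
    """Client side: 'user HEX(HMAC-MD5(key=password, msg=challenge))'.
    The password itself never leaves the client."""
    digest = hmac.new(password.encode(), challenge.encode(), "md5").hexdigest()
    return f"{user} {digest}"


def cram_md5_verify(response, challenge, lookup_password):
    """Server side: recompute with the stored password and compare in constant time.
    The price of this scheme is that the server must keep a plaintext-equivalent
    password for every user, which is one reason CRAM-MD5 is discouraged today."""
    user, _, digest = response.partition(" ")
    stored = lookup_password(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    user, password = "alice", "s3cret"          # constructed credentials
    blob = plain_response(user, password)
    print("PLAIN :", blob, "->", decode_plain(blob))
    print("LOGIN :", login_responses(user, password))
    challenge = cram_md5_challenge("mail.example.test")   # constructed host
    reply = cram_md5_response(user, password, challenge)
    print("CRAM  :", challenge, "->", reply)
    print("verify:", cram_md5_verify(reply, challenge, {user: password}.get))
```

Note that a CRAM-MD5 response is bound to one challenge: replaying it against a fresh challenge fails verification, which is the replay resistance the mechanism buys. It buys nothing against an attacker who sits between client and server, which is why TLS is needed regardless of mechanism.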

How to configure SMTP authentication?

In most email clients, SMTP authentication is configured automatically when a new account is created. If the automatic setup fails, you may need to set it by hand. Below are instructions for Outlook and Gmail.

Configure SMTP-Auth in Outlook

  1. Click "Account Settings" in the "File" menu.
  2. Select your account and click "Edit".
  3. Click "Other Settings" in the window that opens.
  4. Go to the Outgoing Mail Server tab and select the "Outgoing Mail Server (SMTP) Requires Authentication" option.
  5. Check the "Use the same settings as for incoming mail server" box.
  6. Confirm with "OK". The window closes.
  7. Click "Next". Outlook will now check the new account settings. Once the test is complete, click "Close".
  8. Click "Finish" then "Close".

Microsoft 365 administrators can also enable or disable SMTP authentication (shown as "Authenticated SMTP" in the portal) for the whole tenant or per mailbox, either in the Microsoft 365 admin center or with Exchange Online PowerShell: Set-TransportConfig -SmtpClientAuthenticationDisabled sets the tenant-wide default and Set-CASMailbox -SmtpClientAuthenticationDisabled overrides it for an individual mailbox. Note that Microsoft disables SMTP AUTH by default in new tenants, so it has to be switched on explicitly for any mailbox that needs to submit mail this way, and it should be left off for everyone else.

Configure SMTP-Auth in Gmail

If you connect your Gmail address to a desktop client, you can look up the SMTP authentication settings Google expects:

  1. Log in to your Gmail account.
  2. Click the gear icon ("Settings") and choose "See all settings".
  3. Switch to the "Forwarding and POP/IMAP" tab.
  4. Under "POP download" or "IMAP access", click the "Learn more" link.
  5. The help page that opens lists the outgoing mail server settings to enter in your client: smtp.gmail.com, port 587 with STARTTLS or port 465 with SSL/TLS, authentication required. Google no longer accepts your normal account password from third-party clients; use an app password (which requires 2-Step Verification on the account) or a client that supports OAuth 2.0.

How to test SMTP-Auth?

You can use a Telnet client to check whether a mail server acts as an open relay or whether SMTP-Auth is working, for example after you have configured your own server. Spammers use the same manual technique to locate open relays. SMTP and ESMTP are plain-text, line-based protocols, so a client-server session can be typed by hand. Two caveats: on the submission port a correctly configured server refuses AUTH until STARTTLS has been negotiated, which Telnet cannot do, so use openssl s_client -starttls smtp -connect host:587 -crlf instead, which hands you the same line-oriented session after the TLS handshake; and because AUTH PLAIN and LOGIN credentials are only Base64-encoded, never type real credentials into an unencrypted session.
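
The following is an added example, not code from the original article, that scripts the manual relay test described above against an in-memory stand-in for a submission server. The stand-in implements just enough of RFC 5321 and RFC 4954 to show the two outcomes: an open relay accepts a foreign sender and foreign recipient without AUTH, while a correctly configured server answers 554 until the client has authenticated. The server name, domains, addresses and the credential table are all constructed. Against a real server you would type the same C: lines into the openssl s_client session mentioned above and read the S: replies.

```python
"""Scripted submission-port session: open relay vs. AUTH required.

Added example, not part of the original article. FakeSubmissionServer is an
in-memory stand-in implementing just enough of RFC 5321 and RFC 4954 to show
the two behaviours; host names, addresses and credentials are constructed.
"""
import base64

SERVER_NAME = "mail.example.test"     # constructed
LOCAL_DOMAIN = "example.test"         # inbound mail for this domain is always accepted
CREDENTIALS = {"alice": "s3cret"}     # constructed account table


class FakeSubmissionServer:
    """Minimal SMTP state machine. require_auth=False models an open relay."""

    def __init__(self, require_auth=True):
        self.require_auth = require_auth
        self.authenticated = False
        self.awaiting_plain = False     # set after a bare "AUTH PLAIN" (RFC 4954 section 4)

    def handle(self, line):
        if self.awaiting_plain:          # the credential blob arrives on its own line
            self.awaiting_plain = False
            return self._check_plain(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return f"250-{SERVER_NAME}\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 5.5.4 Unrecognized authentication type"
            if initial:
                return self._check_plain(initial)
            self.awaiting_plain = True
            return "334 "
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            domain = arg.split("@", 1)[-1].rstrip(">")
            if domain == LOCAL_DOMAIN or self.authenticated or not self.require_auth:
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"

    def _check_plain(self, blob):
        """Decode base64(authzid NUL user NUL password) and look the user up."""
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode AUTH PLAIN response"
        if CREDENTIALS.get(user) == password:
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def relay_probe(server, sender="probe@remote.test", rcpt="victim@other.test"):
    """The manual open-relay test: foreign sender, foreign recipient, no AUTH.
    Returns (relay_allowed, transcript)."""
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append("C: " + cmd)
        transcript.extend("S: " + l for l in reply.split("\r\n"))
        return reply

    send("EHLO probe.test")
    send(f"MAIL FROM:<{sender}>")
    rcpt_reply = send(f"RCPT TO:<{rcpt}>")
    send("QUIT")
    return rcpt_reply.startswith("250"), transcript


def auth_then_relay(server, user, password, rcpt="victim@other.test"):
    """AUTH PLAIN with an initial response, then the same relay attempt.
    Returns (auth_ok, relay_allowed)."""
    blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    server.handle("EHLO laptop.test")
    auth_ok = server.handle(f"AUTH PLAIN {blob}").startswith("235")
    server.handle(f"MAIL FROM:<{user}@{LOCAL_DOMAIN}>")
    relay_ok = server.handle(f"RCPT TO:<{rcpt}>").startswith("250")
    return auth_ok, relay_ok


if __name__ == "__main__":
    for label, srv in (("open relay", FakeSubmissionServer(require_auth=False)),
                       ("AUTH required", FakeSubmissionServer())):
        allowed, lines = relay_probe(srv)
        print(f"--- {label}: unauthenticated relay {'ACCEPTED' if allowed else 'refused'}")
        print("\n".join(lines))
    print("after AUTH PLAIN:", auth_then_relay(FakeSubmissionServer(), "alice", "s3cret"))
```

The decisive line in a relay test is the reply to RCPT TO for a recipient outside the server's own domains: 250 without prior AUTH means the server is an open relay, 554 (or a similar 5xx) means relaying is restricted. Mail addressed to the server's own domain is accepted either way, because that is ordinary inbound delivery, not relaying, so a probe that uses a local recipient proves nothing.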

You can also run the open-relay part of the test with an external web tool such as SMTP Diagnostic from MxToolbox:

  1. Open SMTP Diagnostic.
  2. Enter the host name of the SMTP server, or any email address handled by that server, in the input field.
  3. Click "Test Email Server".
  4. After a few moments you get a list of the most important findings. The "SMTP Open Relay" line is the one that matters here: a server that passes refuses to relay unauthenticated mail for foreign domains, which is exactly what SMTP-Auth is meant to enforce. The check does not tell you which AUTH mechanisms the server offers, or whether it offers them only after STARTTLS; for that, use the manual session described above.

FAQs

Q: What is SMTP authentication, and why is it important?

A: SMTP authentication, or SMTP-Auth, is an extension of the Extended SMTP (ESMTP) protocol, enabling an SMTP client to connect to a server using authentication mechanisms. It is crucial to prevent SMTP servers from being used as "Open Mail Relays," which could lead to the distribution of spam. By authenticating users, only trusted individuals can send emails, enhancing overall email server security.

Q: How does SMTP-Auth work, and what are the key features?

A: SMTP-Auth is normally offered on the message submission port, TCP 587 (or TCP 465 with implicit TLS), while TCP 25 remains the port used for server-to-server transfer. The AUTH extension offers various SASL mechanisms such as PLAIN, LOGIN, CRAM-MD5, GSSAPI and others; the server relays mail only once the client has proven its identity with one of them, and it should offer them only after STARTTLS so that credentials are protected in transit.

Q: What are the common authentication mechanisms used in SMTP-Auth?

A: Common authentication mechanisms in SMTP-Auth include PLAIN, LOGIN, CRAM-MD5, GSSAPI, DIGEST-MD5 (now obsolete), OAUTH10A, OAUTHBEARER, XOAUTH2, SCRAM-SHA-1, SCRAM-SHA-256 and NTLM. They differ in how the secret is protected on the wire and in what the server has to store, so an SMTP server offers the subset that fits its configuration and security requirements; in practice that is usually PLAIN or LOGIN over TLS, OAuth tokens for the large providers, or SCRAM.

Q: How can I configure SMTP authentication in Outlook?

A: To configure SMTP authentication in Outlook, follow these steps:

  1. Click "Account Settings" in the "File" menu.
  2. Select your account and click "Edit."
  3. Navigate to the Outgoing Mail Server tab and choose "Outgoing Mail Server (SMTP) Requires Authentication."
  4. Check the "Use the same settings as for incoming mail server" box.
  5. Confirm with "OK" and proceed with the account setup.

Q: Can I test SMTP-Auth to ensure it is working correctly?

A: Yes. You can use a Telnet client (or, on the submission port, openssl s_client with -starttls smtp) to run a client-server session by hand and check that the server advertises AUTH and refuses to relay until you have authenticated. Alternatively, use an external web tool such as SMTP Diagnostic from MxToolbox: enter the SMTP server's host name or any email address it handles, click "Test Email Server", and review the results, in particular the "SMTP Open Relay" line, which shows whether the server relays unauthenticated mail.

Q: Why should I enable SMTP authentication for my email server?

A: Enabling SMTP authentication is crucial for preventing unauthorized use of your server as an open relay, reducing the risk of spam distribution. It helps maintain the reputation of your email server, prevents blocklisting, and enhances overall email security. SMTP authentication ensures that only trusted users with valid credentials can send emails through your server, mitigating potential security threats.